Yahoo ID - Yahoo PhotoSharing


Yahoo ID - Yahoo PhotoSharing

Posted: Thu Feb 14, 2013 10:00 am

Hello, I’ve located IIoC in:

ProgramData\Yahoo!\Messenger\PhotoSharing\S2a23

however I am unable to locate the Yahoo ID this folder refers to. Using keyword searches in EnCase, I have found 5 Yahoo IDs so used IEF to decrypt the chat logs, however there is nothing of note in the chat logs that helps in determining which Yahoo ID made the images available for sharing.

Thank you if you are able to assist me  

oreo
Newbie
 
 
  

Re: Yahoo ID - Yahoo PhotoSharing

Posted: Thu Feb 14, 2013 2:28 pm

From research within the office we found the following:

-- When the other user shared images with me, all the images appeared in my PhotoSharing folder with blahblah_m.jpg - this was a large version of the image

-- When I shared images with the other user, all the images appeared in my PhotoSharing folder in 2 formats - large version yaddyyadda_m.jpg and then a wee thumbnail version yaddyyadda_t.jpg

-- The presence in the folder of an _m and _t pairing indicates that the computer that this pairing appears on shared (distributed) with another user.

Doesn't really help with WHO shared the items, although can you date them to the time of active chats?

Also, I take it you don't have a network_user.log? Or at least, a useful one?

Edit: (further thoughts)

We actually found that Y!Messenger was pretty good at deleting this folder when the chat session was closed. Further investigation showed a Report.wer file for Yahoo Messenger created shortly after these images - indicating that Y!Msg crashed and so didn't delete the folder as normal. Is this the case for you?

ALSO: the reason I ask about network_user.log is that it can be extremely valuable - it stores base64 thumbnails of shared images, including both the sender and receiver IDs.

Chris_Ed
Senior Member
 
 
  

Re: Yahoo ID - Yahoo PhotoSharing

Posted: Thu Mar 07, 2013 11:25 pm

Hi Chris,

Further to this thread, I've noticed that using Yahoo v. 10.0.0.1102, the option to Save Out pictures is available within Yahoo.

As you say there are two files to look out for --_m.jpg and --_t.jpg within the respective "PhotoSharing" folders.

When these files are in the user's cache they can be saved out to say "My Pictures", perhaps while the chat is still active. In doing so, the random file name is converted to the original file name to the user's "My Pictures" folder.

The MD5 hash value should match that of the --_m.jpg version (as stored within the cache folders) and the "My Pictures" version. Therefore, you could perform a hash test over all files to see if the user saved these elsewhere.

My question Chris, have you been able to find a decent log parser for this log file - or did you have much success in decoding the BASE64 images?

I have keyword searched this file (network_user.log) for the headers documented in Steve Bunting's post and had no hits:

www.stevebunting.org/u...base64.htm

I just want to make sure I haven't missed something. Can you confirm that the headers Steve has documented are the ones you saw?

I can see file references to potential IIOC so I am keen on confirming this as the OC wants to know who shared what - and I haven't got any chat logs for Yahoo around the d+t in question when IIOC was created within the PhotoSharing folders.

Cheers, Ian.  

novadonuk
Member
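
The two checks described in the posts above (the `_m.jpg`/`_t.jpg` pairing that marks images shared from this computer, and the MD5 match between a cached `_m.jpg` and a saved-out copy) can be run together. The Python below is an added example, not code posted by anyone in this thread; the function names and the sample files (placeholder bytes, not real images) are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_of(path):
    """MD5 of a file, read in chunks so large images do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_photosharing(folder):
    """Base name -> 'shared' (_m and _t both present) or 'received' (_m only)."""
    names = {p.name.lower() for p in Path(folder).iterdir() if p.is_file()}
    result = {}
    for name in names:
        if name.endswith("_m.jpg"):
            base = name[: -len("_m.jpg")]
            result[base] = "shared" if base + "_t.jpg" in names else "received"
    return result


def find_saved_copies(folder, search_root):
    """Cached _m file name -> paths under search_root with the same MD5."""
    wanted = {md5_of(p): p.name for p in Path(folder).iterdir()
              if p.is_file() and p.name.lower().endswith("_m.jpg")}
    hits = {}
    for p in (q for q in Path(search_root).rglob("*") if q.is_file()):
        name = wanted.get(md5_of(p))
        if name:
            hits.setdefault(name, []).append(str(p))
    return hits


if __name__ == "__main__":
    # Constructed sample data: placeholder bytes standing in for image files.
    with tempfile.TemporaryDirectory() as tmp:
        cache, pics = Path(tmp, "PhotoSharing"), Path(tmp, "My Pictures")
        cache.mkdir()
        pics.mkdir()
        (cache / "a1b2_m.jpg").write_bytes(b"constructed-image-A")
        (cache / "a1b2_t.jpg").write_bytes(b"constructed-thumb-A")
        (cache / "c3d4_m.jpg").write_bytes(b"constructed-image-B")
        (pics / "holiday.jpg").write_bytes(b"constructed-image-B")
        print(classify_photosharing(cache))     # pairing result per base name
        print(find_saved_copies(cache, pics))   # cached file -> saved-out copies
```

Point `search_root` at a directory that does not contain the PhotoSharing folder itself, otherwise each cached file matches its own hash.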
 
 
  

Re: Yahoo ID - Yahoo PhotoSharing

Posted: Fri Mar 08, 2013 8:33 am

Hi,

As mentioned in the link you provided, the base64 header for JPEGs is "/9j/" - have you checked for PNGs or GIFs? If you can't find a hit for any of these in the network_user.log then it looks like it hasn't saved any thumbnails, I'm afraid!

I do have a parser - I wrote one myself in Python, but it is a bit "raw" :)

Happy to share the link if you want it.

Thanks,

Chris  

Chris_Ed
Senior Member
 
 
  

Re: Yahoo ID - Yahoo PhotoSharing

Posted: Fri Mar 08, 2013 9:07 am

Hi Chris.

Yeah checked for common headers and used Steve Bunting's post as a ref point. Looks like no thumbs.

The script would be very useful thanks.

Cheers. Ian.  

novadonuk
Member
 
 
